android镜像分析
关键字:反汇编、 内核
涉及工具:mkbootimg、 unpackbootimg、 gzip、 readelf、objdump、simg2img、mount、extract-dtb.py、dt、cpio
目录
1、Android bootimg kernel(boot.img)
1.1、内核boot.img-zImage分析
1.2、设备树
1.3、根目录
2、emmc_appsboot.mbn:
3、splash.img:
4、dtbo.img:
5、mdtp.img:
6、vbmeta.img:
7、Linux rev 1.0 ext4 filesystem data(persist.img)
8、Android sparse image(system.img、userdata.img、vendor.img):
9、Super.img :
上篇日志分析可以看到开机流程中需要使用很多分区,这些分区在eMMC中占用不同的空间,其占用信息存储于分区表(GPT)中。高通智能机分区表详细解析_rockly89的博客-CSDN博客_fsc分区里面是比较全的分区描述,android P以后才有的vbmeta用于验证、dtbo是设备树叠加层。下面是dev下block节点读的信息。
这个博客主要研究刷机到底刷进去的是什么。MP镜像不管,只分析android的镜像。查看Android源码编出来的文件。
file . *
boot.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidbo)dtbo.img: dataemmc_appsboot.mbn: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, strippedipsm.img: Android sparse image, version: 1.0, Total of 393216 4096-byte output blocks in 22 input chunks.license.img: Android sparse image, version: 1.0, Total of 4096 4096-byte output blocks in 8 input chunks.mdtp.img: datapersist.img: Linux rev 1.0 ext4 filesystem data, UUID=d9a6bc78-9d91-4760-9f23-ea9d57708460 (extents) (large files) (huge files)secure.img: Android sparse image, version: 1.0, Total of 4096 4096-byte output blocks in 8 input chunks.splash.img: datasystem.img: Android sparse image, version: 1.0, Total of 688640 4096-byte output blocks in 27 input chunks.userdata.img: Android sparse image, version: 1.0, Total of 1324921 4096-byte output blocks in 30 input chunks.vbmeta.img: datavendor.img: Android sparse image, version: 1.0, Total of 192000 4096-byte output blocks in 17 input chunks.
从上面可以看出
Android sparse image(稀疏)格式最多,这种格式可以理解文件系统的一种压缩格式,查看需解压。(差分升级如果包括该类镜像,不要用这种格式直接做差分diff)
Linux rev 1.0 ext4 filesystem data,是一种文件系统格式,也是Android sparse image(稀疏)格式的解压,可直接挂载查看。
data,数据类型,该类型实际是未识别的类型,其中splash.img和vbmeta.img未识别,我们后面再分析。(实际电子设备上存储的所有东西都可认为是data)
Android bootimg kernel格式最复杂,主要包含cmdline,设备树,内核,文件系统。由google的andorid源码工具mkbootimg制作,本blog大部分篇幅介绍的是boot.img镜像解析和反汇编。
ELF 32-bit LSB executable,是执行文件类型,其实boot.img镜像中内核可以当作执行文件,为了理解执行文件,将反汇编emmc_appsboot.mbn和boot.img中的内核。
1、Android bootimg kernel(boot.img)
boot.img包含内核,根文件系统,设备树,cmdline。编译使用mkbootimg,解压使用unpackbootimg,GITHUB上不少该工具。
先用unpackbootimg boot.img解压
boot.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidbo)
boot.img-base: ASCII text
boot.img-board: very short file (no magic)
boot.img-cmdline: ASCII text, with very long lines
boot.img-dtb: very short file (no magic)
boot.img-hash: ASCII text
boot.img-kerneloff: ASCII text
boot.img-oslevel: ASCII text
boot.img-osversion: ASCII text
boot.img-pagesize: ASCII text
boot.img-ramdisk.gz: gzip compressed data, from Unix
boot.img-ramdiskoff: ASCII text
boot.img-secondoff: ASCII text
boot.img-tagsoff: ASCII text
boot.img-zImage: gzip compressed data, max compression, from Unix
其中内核文件boot.img-zImage,根目录文件boot.img-ramdisk.gz,设备树在内核文件中,recovery的设备树是boot.img-dtb,cmdline是boot.img-cmdline。
1.1、内核boot.img-zImage分析
- cp boot.img-zImage zImage.gz重命名
- gzip -d zImage.gz解压
得到的zImage是MS-DOS executable, MZ for MS-DOS格式文件, Beyong Compare对比可以看到zImage就是源码编译出的obj\KERNEL_OBJ\arch\arm64\boot\zImage,它是vmlinux通过编译工具objcopy去掉调试信息后的二进制文件。源码编译时是使用工具mpgen.py。可以访问linux kernel编译产生的vmlinux Image zImage之间的关系_潘振杰的博客-CSDN博客_kernel编译完后只有vmlinux查看kernel怎么生成的。(与android的boot.img稍有不同)
这里要对内核反汇编,相关知识比较弱的建议先看下相关blog并动手尝试,下面两个博客有不少分析可执行文件的工具。
逆向与反汇编工具 - mull - 博客园
ELF文件-逆向工具_ToTHotSpur的博客-CSDN博客_elf 逆向
描述了ELF文件结构。
https://blog.csdn.net/abc_12366/article/details/88205670
执行反汇编命令,解析vmlinux:
readelf -hlSVAI vmlinux(-r/s参数内容多,谨慎使用)
aarch64-linux-androidkernel-objdump -afphG vmlinux (-D/d/S/s/x参数内容太多,谨慎使用)
Linux下利用objdump查看文件空间地址分布 - jrglinux - 博客园
readelf -S vmlinux
ELF Header:Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00Class: ELF64Data: 2's complement, little endianVersion: 1 (current)OS/ABI: UNIX - System VABI Version: 0Type: DYN (Shared object file)Machine: AArch64Version: 0x1Entry point address: 0xffffff8008080000Start of program headers: 64 (bytes into file)Start of section headers: 273510912 (bytes into file)Flags: 0x0Size of this header: 64 (bytes)Size of program headers: 56 (bytes)Number of program headers: 4Size of section headers: 64 (bytes)Number of section headers: 42Section header string table index: 39Section Headers:[Nr] Name Type Address OffsetSize EntSize Flags Link Info Align[ 0] NULL 0000000000000000 000000000000000000000000 0000000000000000 0 0 0[ 1] .head.text PROGBITS ffffff8008080000 000100000000000000001000 0000000000000000 AX 0 0 4096[ 2] .text PROGBITS ffffff8008081000 0001100000000000010c36d8 0000000000000008 AX 0 0 2048[ 3] .rodata PROGBITS ffffff8009200000 0110000000000000006afc25 0000000000000000 WA 0 0 1048576[ 4] .eh_frame PROGBITS ffffff80098afc28 017afc280000000000000048 0000000000000000 A 0 0 8[ 5] __bug_table PROGBITS ffffff80098afc70 017afc7000000000000190e0 0000000000000000 A 0 0 4[ 6] __ksymtab PROGBITS ffffff80098c8d50 017c8d500000000000016700 0000000000000000 A 0 0 8[ 7] __ksymtab_gpl PROGBITS ffffff80098df450 017df4500000000000010580 0000000000000000 A 0 0 8[ 8] __kcrctab PROGBITS ffffff80098ef9d0 017ef9d0000000000000b380 0000000000000000 A 0 0 8[ 9] __kcrctab_gpl PROGBITS ffffff80098fad50 017fad5000000000000082c0 0000000000000000 A 0 0 8[10] __ksymtab_strings PROGBITS ffffff8009903010 01803010000000000002ff08 0000000000000000 A 0 0 1[11] __param PROGBITS ffffff8009932f18 01832f180000000000004f60 0000000000000000 A 0 0 8[12] __modver PROGBITS ffffff8009937e78 01837e780000000000000188 0000000000000000 A 0 0 8[13] __ex_table PROGBITS ffffff8009938000 018380000000000000004c48 0000000000000000 A 0 0 8[14] .notes NOTE ffffff800993cc48 0183cc480000000000000024 0000000000000000 A 0 0 4[15] .init.text PROGBITS ffffff8009940000 01840000000000000007561c 0000000000000000 AX 0 0 16[16] .exit.text PROGBITS ffffff80099b561c 018b561c0000000000006654 0000000000000000 AX 0 0 4[17] .init.data PROGBITS ffffff80099bbd00 018bbd000000000000114de8 0000000000000000 WA 0 0 256[18] .data..percpu PROGBITS ffffff8009ad1000 019d1000000000000000db28 0000000000000000 WA 0 0 128[19] .altinstructions PROGBITS ffffff8009adeb28 019deb28000000000001de8c 0000000000000000 A 0 0 1[20] .altinstr_replace PROGBITS ffffff8009afc9b4 019fc9b4000000000000a3b8 0000000000000000 AX 0 0 4[21] .rela RELA ffffff8009b06d70 01a06d700000000000484d70 0000000000000018 A 0 0 8[22] .data PROGBITS ffffff8009f90000 01e900000000000000237e08 0000000000000000 WA 0 0 4096[23] .got.plt PROGBITS ffffff800a1c7e08 020c7e080000000000000018 0000000000000008 WA 0 0 8[24] .bss_rtic PROGBITS ffffff800a1c8000 020c80000000000000001004 0000000000000000 WA 0 0 4096[25] __clk_of_table_en PROGBITS ffffff800a1c9008 020c900800000000000000c8 0000000000000000 WA 0 0 8[26] .mmuoff.data.writ PROGBITS ffffff800a1c9800 020c98000000000000000014 0000000000000000 WA 0 0 2048[27] .mmuoff.data.read PROGBITS ffffff800a1ca000 020ca0000000000000000008 0000000000000000 WA 0 0 8[28] .pecoff_edata_pad PROGBITS ffffff800a1ca008 020ca00800000000000001f8 0000000000000000 WA 0 0 1[29] .bss NOBITS ffffff800a1cb000 020ca20000000000009b6038 0000000000000000 WA 0 0 4096[30] .comment PROGBITS 0000000000000000 020ca2000000000000000027 0000000000000001 MS 0 0 1[31] .debug_line PROGBITS 0000000000000000 020ca2270000000000db311b 0000000000000000 0 0 1[32] .debug_info PROGBITS 0000000000000000 02e7d342000000000a65870b 0000000000000000 0 0 1[33] .debug_abbrev PROGBITS 0000000000000000 0d4d5a4d00000000003a8243 0000000000000000 0 0 1[34] .debug_aranges PROGBITS 0000000000000000 0d87dc9000000000000294e0 0000000000000000 0 0 16[35] .debug_ranges PROGBITS 0000000000000000 0d8a71700000000000961e50 0000000000000000 0 0 16[36] .debug_frame PROGBITS 0000000000000000 0e208fc0000000000031e220 0000000000000000 0 0 8[37] .debug_str PROGBITS 0000000000000000 0e5271e00000000000454737 0000000000000001 MS 0 0 1[38] .debug_loc PROGBITS 0000000000000000 0e97b9170000000001403166 0000000000000000 0 0 1[39] .shstrtab STRTAB 0000000000000000 104d702100000000000001da 0000000000000000 0 0 1[40] .symtab SYMTAB 0000000000000000 0fd7ea800000000000473820 0000000000000018 41 159880 8[41] .strtab STRTAB 0000000000000000 101f22a000000000002e4d81 0000000000000000 0 0 1Key to Flags:W (write), A (alloc), X (execute), M (merge), S (strings)I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)O (extra OS processing required) o (OS specific), p (processor specific)Program Headers:Type Offset VirtAddr PhysAddrFileSiz MemSiz Flags AlignLOAD 0x0000000000010000 0xffffff8008080000 0xffffff80080800000x00000000010c46d8 0x00000000010c46d8 R E 10000LOAD 0x0000000001100000 0xffffff8009200000 0xffffff80092000000x0000000000fca200 0x0000000001981038 RWE 10000NOTE 0x000000000183cc48 0xffffff800993cc48 0xffffff800993cc480x0000000000000024 0x0000000000000024 R 4GNU_STACK 0x0000000000000000 0x0000000000000000 0x00000000000000000x0000000000000000 0x0000000000000000 RW 10Section to Segment mapping:Segment Sections...00 .head.text .text01 .rodata .eh_frame __bug_table __ksymtab __ksymtab_gpl __kcrctab __kcrctab_gpl __ksymtab_strings __param __modver __ex_table .notes .init.text .exit.text .init.data .data..percpu .altinstructions .altinstr_replacement .rela .data .got.plt .bss_rtic __clk_of_table_end .mmuoff.data.write .mmuoff.data.read .pecoff_edata_padding .bss02 .notes03 No version information found in this file.
aarch64-linux-androidkernel-objdump -afp vmlinux
vmlinux: file format elf64-littleaarch64vmlinuxarchitecture: aarch64, flags 0x00000150:HAS_SYMS, DYNAMIC, D_PAGEDstart address 0xffffff8008080000Program Header:LOAD off 0x0000000000010000 vaddr 0xffffff8008080000 paddr 0xffffff8008080000 align 2**16filesz 0x00000000010c46d8 memsz 0x00000000010c46d8 flags r-xLOAD off 0x0000000001100000 vaddr 0xffffff8009200000 paddr 0xffffff8009200000 align 2**16filesz 0x0000000000fca200 memsz 0x0000000001981038 flags rwxNOTE off 0x000000000183cc48 vaddr 0xffffff800993cc48 paddr 0xffffff800993cc48 align 2**2filesz 0x0000000000000024 memsz 0x0000000000000024 flags r--STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-private flags = 0:Sections:Idx Name Size VMA LMA File off Algn0 .head.text 00001000 ffffff8008080000 ffffff8008080000 00010000 2**12CONTENTS, ALLOC, LOAD, READONLY, CODE1 .text 010c36d8 ffffff8008081000 ffffff8008081000 00011000 2**11CONTENTS, ALLOC, LOAD, READONLY, CODE2 .rodata 006afc25 ffffff8009200000 ffffff8009200000 01100000 2**20CONTENTS, ALLOC, LOAD, DATA3 .eh_frame 00000048 ffffff80098afc28 ffffff80098afc28 017afc28 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA4 __bug_table 000190e0 ffffff80098afc70 ffffff80098afc70 017afc70 2**2CONTENTS, ALLOC, LOAD, READONLY, DATA5 __ksymtab 00016700 ffffff80098c8d50 ffffff80098c8d50 017c8d50 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA6 __ksymtab_gpl 00010580 ffffff80098df450 ffffff80098df450 017df450 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA7 __kcrctab 0000b380 ffffff80098ef9d0 ffffff80098ef9d0 017ef9d0 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA8 __kcrctab_gpl 000082c0 ffffff80098fad50 ffffff80098fad50 017fad50 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA9 __ksymtab_strings 0002ff08 ffffff8009903010 ffffff8009903010 01803010 2**0CONTENTS, ALLOC, LOAD, READONLY, DATA10 __param 00004f60 ffffff8009932f18 ffffff8009932f18 01832f18 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA11 __modver 00000188 ffffff8009937e78 ffffff8009937e78 01837e78 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA12 __ex_table 00004c48 ffffff8009938000 ffffff8009938000 01838000 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA13 .notes 00000024 ffffff800993cc48 ffffff800993cc48 0183cc48 2**2CONTENTS, ALLOC, LOAD, READONLY, DATA14 .init.text 0007561c ffffff8009940000 ffffff8009940000 01840000 2**4CONTENTS, ALLOC, LOAD, READONLY, CODE15 .exit.text 00006654 ffffff80099b561c ffffff80099b561c 018b561c 2**2CONTENTS, ALLOC, LOAD, READONLY, CODE16 .init.data 00114de8 ffffff80099bbd00 ffffff80099bbd00 018bbd00 2**8CONTENTS, ALLOC, LOAD, DATA17 .data..percpu 0000db28 ffffff8009ad1000 ffffff8009ad1000 019d1000 2**7CONTENTS, ALLOC, LOAD, DATA18 .altinstructions 0001de8c ffffff8009adeb28 ffffff8009adeb28 019deb28 2**0CONTENTS, ALLOC, LOAD, READONLY, DATA19 .altinstr_replacement 0000a3b8 ffffff8009afc9b4 ffffff8009afc9b4 019fc9b4 2**2CONTENTS, ALLOC, LOAD, READONLY, CODE20 .rela 00484d70 ffffff8009b06d70 ffffff8009b06d70 01a06d70 2**3CONTENTS, ALLOC, LOAD, READONLY, DATA21 .data 00237e08 ffffff8009f90000 ffffff8009f90000 01e90000 2**12CONTENTS, ALLOC, LOAD, DATA22 .got.plt 00000018 ffffff800a1c7e08 ffffff800a1c7e08 020c7e08 2**3CONTENTS, ALLOC, LOAD, DATA23 .bss_rtic 00001004 ffffff800a1c8000 ffffff800a1c8000 020c8000 2**12CONTENTS, ALLOC, LOAD, DATA24 __clk_of_table_end 000000c8 ffffff800a1c9008 ffffff800a1c9008 020c9008 2**3CONTENTS, ALLOC, LOAD, DATA25 .mmuoff.data.write 00000014 ffffff800a1c9800 ffffff800a1c9800 020c9800 2**11CONTENTS, ALLOC, LOAD, DATA26 .mmuoff.data.read 00000008 ffffff800a1ca000 ffffff800a1ca000 020ca000 2**3CONTENTS, ALLOC, LOAD, DATA27 .pecoff_edata_padding 000001f8 ffffff800a1ca008 ffffff800a1ca008 020ca008 2**0CONTENTS, ALLOC, LOAD, DATA28 .bss 009b6038 ffffff800a1cb000 ffffff800a1cb000 020ca200 2**12ALLOC29 .comment 00000027 0000000000000000 0000000000000000 020ca200 2**0CONTENTS, READONLY30 .debug_line 00db311b 0000000000000000 0000000000000000 020ca227 2**0CONTENTS, READONLY, DEBUGGING31 .debug_info 0a65870b 0000000000000000 0000000000000000 02e7d342 2**0CONTENTS, READONLY, DEBUGGING32 .debug_abbrev 003a8243 0000000000000000 0000000000000000 0d4d5a4d 2**0CONTENTS, READONLY, DEBUGGING33 .debug_aranges 000294e0 0000000000000000 0000000000000000 0d87dc90 2**4CONTENTS, READONLY, DEBUGGING34 .debug_ranges 00961e50 0000000000000000 0000000000000000 0d8a7170 2**4CONTENTS, READONLY, DEBUGGING35 .debug_frame 0031e220 0000000000000000 0000000000000000 0e208fc0 2**3CONTENTS, READONLY, DEBUGGING36 .debug_str 00454737 0000000000000000 0000000000000000 0e5271e0 2**0CONTENTS, READONLY, DEBUGGING37 .debug_loc 01403166 0000000000000000 0000000000000000 0e97b917 2**0CONTENTS, READONLY, DEBUGGING
内容结构可以访问https://blog.csdn.net/abc_12366/article/details/88205670,为直观体现执行文件里面数据的意义,先找入口函数start_kernel()位置,下面博客有两种方法反汇编指定函数。
Linux下反汇编指定的函数_zuxi的博客-CSDN博客
kernel入口函数start_kernel()反汇编如下,可以对比源码中kernel/init/main.c的start_kernel()中内容。
nm -n vmlinux |grep -A1 "start_kernel"
ffffff8008095378 T secondary_start_kernelffffff8008095594 T __cpu_disable--ffffff80099408a8 T start_kernelffffff8009940cb4 t kernel_init_freeable
aarch64-linux-androidkernel-objdump -d vmlinux --start-address=0xffffff80099408a8 --stop-address=0xffffff8009940cb4
vmlinux: file format elf64-littleaarch64Disassembly of section .init.text:ffffff80099408a8 <start_kernel>:ffffff80099408a8: a9b97bfd stp x29, x30, [sp,#-112]!ffffff80099408ac: f0003380 adrp x0, ffffff8009fb3000 <argv_init>ffffff80099408b0: 910003fd mov x29, spffffff80099408b4: a90363f7 stp x23, x24, [sp,#48]ffffff80099408b8: f00032f8 adrp x24, ffffff8009f9f000 <xt_connlimit_locks+0xc00>ffffff80099408bc: 91120000 add x0, x0, #0x480ffffff80099408c0: a90153f3 stp x19, x20, [sp,#16]ffffff80099408c4: a9025bf5 stp x21, x22, [sp,#32]ffffff80099408c8: f9460701 ldr x1, [x24,#3080]ffffff80099408cc: f90037a1 str x1, [x29,#104]ffffff80099408d0: f90023f9 str x25, [sp,#64]ffffff80099408d4: 979dc255 bl ffffff80080b1228 <set_task_stack_end_magic>ffffff80099408d8: 94000dc7 bl ffffff8009943ff4 <smp_setup_processor_id>ffffff80099408dc: 9400d951 bl ffffff8009976e20 <debug_objects_early_init>ffffff80099408e0: 9400637a bl ffffff80099596c8 <cgroup_init_early>ffffff80099408e4: d50342df msr daifset, #0x2ffffff80099408e8: f00032f6 adrp x22, ffffff8009f9f000 <xt_connlimit_locks+0xc00>ffffff80099408ec: 97a1e434 bl ffffff80081b99bc <trace_hardirqs_off>ffffff80099408f0: 52800020 mov w0, #0x1 // #1ffffff80099408f4: f00003d4 adrp x20, ffffff80099bb000 <masquerade_tg_exit+0x10>ffffff80099408f8: 91340294 add x20, x20, #0xd00ffffff80099408fc: d0004475 adrp x21, ffffff800a1ce000 <reset_devices>ffffff8009940900: 393002c0 strb w0, [x22,#3072]ffffff8009940904: 94003b72 bl ffffff800994f6cc <boot_cpu_init>ffffff8009940908: 90ffc601 adrp x1, ffffff8009200000 <__start_rodata>ffffff800994090c: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940910: 91026021 add x1, x1, #0x98ffffff8009940914: 910fc000 add x0, x0, #0x3f0ffffff8009940918: 9120e294 add x20, x20, #0x838ffffff800994091c: 910002b7 add x23, x21, #0x0ffffff8009940920: 97a2c471 bl ffffff80081f1ae4 <printk>ffffff8009940924: aa1803f3 mov x19, x24ffffff8009940928: 910163a0 add x0, x29, #0x58ffffff800994092c: 94000dc7 bl ffffff8009944048 <setup_arch>ffffff8009940930: 52800101 mov w1, #0x8 // #8ffffff8009940934: 910183a0 add x0, x29, #0x60ffffff8009940938: 97b63acb bl ffffff80086cf464 <get_random_bytes>ffffff800994093c: f94033a1 ldr x1, [x29,#96]ffffff8009940940: d2812e00 mov x0, #0x970 // #2416ffffff8009940944: f2a00080 movk x0, #0x4, lsl #16ffffff8009940948: ca000020 eor x0, x1, x0ffffff800994094c: 9278dc01 and x1, x0, #0xffffffffffffff00ffffff8009940950: f9060701 str x1, [x24,#3080]ffffff8009940954: d5384102 mrs x2, sp_el0ffffff8009940958: f9034441 str x1, [x2,#1672]ffffff800994095c: f0003501 adrp x1, ffffff8009fe3000 <vmpressure_notifier+0x20>ffffff8009940960: aa1403e0 mov x0, x20ffffff8009940964: f9019c3f str xzr, [x1,#824]ffffff8009940968: 97ad261e bl ffffff800848a1e0 <__efistub_strlen>ffffff800994096c: d2800001 mov x1, #0x0 // #0ffffff8009940970: d2800002 mov x2, #0x0 // #0ffffff8009940974: d2800003 mov x3, #0x0 // #0ffffff8009940978: 12800004 mov w4, #0xffffffff // #-1ffffff800994097c: 91000400 add x0, x0, #0x1ffffff8009940980: f9402fb8 ldr x24, [x29,#88]ffffff8009940984: 94009058 bl ffffff8009964ae4 <memblock_virt_alloc_try_nid>ffffff8009940988: f90016e0 str x0, [x23,#40]ffffff800994098c: aa1403e0 mov x0, x20ffffff8009940990: 97ad2614 bl ffffff800848a1e0 <__efistub_strlen>ffffff8009940994: 91000400 add x0, x0, #0x1ffffff8009940998: d2800001 mov x1, #0x0 // #0ffffff800994099c: d2800002 mov x2, #0x0 // #0ffffff80099409a0: d2800003 mov x3, #0x0 // #0ffffff80099409a4: 12800004 mov w4, #0xffffffff // #-1ffffff80099409a8: 9400904f bl ffffff8009964ae4 <memblock_virt_alloc_try_nid>ffffff80099409ac: f9001ae0 str x0, [x23,#48]ffffff80099409b0: aa1803e0 mov x0, x24ffffff80099409b4: 97ad260b bl ffffff800848a1e0 <__efistub_strlen>ffffff80099409b8: 91000400 add x0, x0, #0x1ffffff80099409bc: d2800002 mov x2, #0x0 // #0ffffff80099409c0: d2800003 mov x3, #0x0 // #0ffffff80099409c4: 12800004 mov w4, #0xffffffff // #-1ffffff80099409c8: d2800001 mov x1, #0x0 // #0ffffff80099409cc: 94009046 bl ffffff8009964ae4 <memblock_virt_alloc_try_nid>ffffff80099409d0: aa0003f9 mov x25, x0ffffff80099409d4: f94016e0 ldr x0, [x23,#40]ffffff80099409d8: aa1403e1 mov x1, x20ffffff80099409dc: f9001ef9 str x25, [x23,#56]ffffff80099409e0: 97ad5468 bl ffffff8008495b80 <strcpy>ffffff80099409e4: aa1803e1 mov x1, x24ffffff80099409e8: aa1903e0 mov x0, x25ffffff80099409ec: 97ad5465 bl ffffff8008495b80 <strcpy>ffffff80099409f0: 940060c6 bl ffffff8009958d08 <setup_nr_cpu_ids>ffffff80099409f4: 940083bf bl ffffff80099618f0 <setup_per_cpu_areas>ffffff80099409f8: 94003b4d bl ffffff800994f72c <boot_cpu_state_init>ffffff80099409fc: 9400128d bl ffffff8009945430 <smp_prepare_boot_cpu>ffffff8009940a00: d2800000 mov x0, #0x0 // #0ffffff8009940a04: d2800001 mov x1, #0x0 // #0ffffff8009940a08: 97dfce2e bl ffffff80091342c0 <build_all_zonelists>ffffff8009940a0c: 940079c0 bl ffffff800995f10c <page_alloc_init>ffffff8009940a10: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940a14: aa1403e1 mov x1, x20ffffff8009940a18: 910fe000 add x0, x0, #0x3f8ffffff8009940a1c: 97a2c432 bl ffffff80081f1ae4 <printk>ffffff8009940a20: 97ffff84 bl ffffff8009940830 <parse_early_param>ffffff8009940a24: d0ffff82 adrp x2, ffffff8009932000 <__kstrtab_sctp_for_each_endpoint+0x2>ffffff8009940a28: f0ffffa3 adrp x3, ffffff8009937000 <__param_debug_mask+0x10>ffffff8009940a2c: 913c6042 add x2, x2, #0xf18ffffff8009940a30: 9139e063 add x3, x3, #0xe78ffffff8009940a34: cb020063 sub x3, x3, x2ffffff8009940a38: b202e7e0 mov x0, #0xcccccccccccccccc // #-3689348814741910324ffffff8009940a3c: 9343fc63 asr x3, x3, #3ffffff8009940a40: 12800004 mov w4, #0xffffffff // #-1ffffff8009940a44: f9401ee1 ldr x1, [x23,#56]ffffff8009940a48: 90000007 adrp x7, ffffff8009940000 <stext>ffffff8009940a4c: 1b030c03 madd w3, w0, w3, w3ffffff8009940a50: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940a54: 2a0403e5 mov w5, w4ffffff8009940a58: 91106000 add x0, x0, #0x418ffffff8009940a5c: d2800006 mov x6, #0x0 // #0ffffff8009940a60: 911520e7 add x7, x7, #0x548ffffff8009940a64: 979e7f22 bl ffffff80080e06ec <parse_args>ffffff8009940a68: aa0003e1 mov x1, x0ffffff8009940a6c: b4000060 cbz x0, ffffff8009940a78 <start_kernel+0x1d0>ffffff8009940a70: b140041f cmn x0, #0x1, lsl #12ffffff8009940a74: 54000fe9 b.ls ffffff8009940c70 <start_kernel+0x3c8>ffffff8009940a78: 913002c1 add x1, x22, #0xc00ffffff8009940a7c: 52800022 mov w2, #0x1 // #1ffffff8009940a80: 52800000 mov w0, #0x0 // #0ffffff8009940a84: 39000422 strb w2, [x1,#1]ffffff8009940a88: 940055ce bl ffffff80099561c0 <setup_log_buf>ffffff8009940a8c: 94003f3b bl ffffff8009950778 <pidhash_init>ffffff8009940a90: 94009ce4 bl ffffff8009967e20 <vfs_caches_init_early>ffffff8009940a94: 94003f98 bl ffffff80099508f4 <sort_main_extable>ffffff8009940a98: 94000f39 bl ffffff800994477c <trap_init>ffffff8009940a9c: 94001b11 bl ffffff80099476e0 <mem_init>ffffff8009940aa0: 940093c9 bl ffffff80099659c4 <kmem_cache_init>ffffff8009940aa4: 940083c2 bl ffffff80099619ac <percpu_init_late>ffffff8009940aa8: 94008a80 bl ffffff80099634a8 <ptlock_cache_init>ffffff8009940aac: 94001bd1 bl ffffff80099479f0 <pgd_cache_init>ffffff8009940ab0: 94008b2b bl ffffff800996375c <vmalloc_init>ffffff8009940ab4: 9400d7da bl ffffff8009976a1c <ioremap_huge_init>ffffff8009940ab8: 940050bd bl ffffff8009954dac <sched_init>ffffff8009940abc: 52800020 mov w0, #0x1 // #1ffffff8009940ac0: 979ec496 bl ffffff80080f1d18 <preempt_count_add>ffffff8009940ac4: d53b4220 mrs x0, daifffffff8009940ac8: 373800e0 tbnz w0, #7, ffffff8009940ae4 <start_kernel+0x23c>ffffff8009940acc: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940ad0: 9110a000 add x0, x0, #0x428ffffff8009940ad4: 97a2c404 bl ffffff80081f1ae4 <printk>ffffff8009940ad8: d4210000 brk #0x800ffffff8009940adc: d50342df msr daifset, #0x2ffffff8009940ae0: 97a1e3b7 bl ffffff80081b99bc <trace_hardirqs_off>ffffff8009940ae4: 9400d7bc bl ffffff80099769d4 <idr_init_cache>ffffff8009940ae8: 940058c2 bl ffffff8009956df0 <rcu_init>ffffff8009940aec: 940069ff bl ffffff800995b2e8 <trace_init>ffffff8009940af0: 9400d7e7 bl ffffff8009976a8c <radix_tree_init>ffffff8009940af4: 940056bc bl ffffff80099565e4 <early_irq_init>ffffff8009940af8: 94000ca3 bl ffffff8009943d84 <init_IRQ>ffffff8009940afc: 94005ecb bl ffffff8009958628 <tick_init>ffffff8009940b00: 94005965 bl ffffff8009957094 <rcu_init_nohz>ffffff8009940b04: 94005b64 bl ffffff8009957894 <init_timers>ffffff8009940b08: 94005bb9 bl ffffff80099579ec <hrtimers_init>ffffff8009940b0c: 94003b6b bl ffffff800994f8b8 <softirq_init>ffffff8009940b10: 94005ccb bl ffffff8009957e3c <timekeeping_init>ffffff8009940b14: 94000eeb bl ffffff80099446c0 <time_init>ffffff8009940b18: 94005f75 bl ffffff80099588ec <sched_clock_postinit>ffffff8009940b1c: 940075d5 bl ffffff800995e270 <perf_event_init>ffffff8009940b20: 97dfcdbb bl ffffff800913420c <profile_init>ffffff8009940b24: 9400603f bl ffffff8009958c20 <call_function_init>ffffff8009940b28: d53b4220 mrs x0, daifffffff8009940b2c: 373800a0 tbnz w0, #7, ffffff8009940b40 <start_kernel+0x298>ffffff8009940b30: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940b34: 91118000 add x0, x0, #0x460ffffff8009940b38: 97a2c3eb bl ffffff80081f1ae4 <printk>ffffff8009940b3c: d4210000 brk #0x800ffffff8009940b40: 393002df strb wzr, [x22,#3072]ffffff8009940b44: 97a1e654 bl ffffff80081ba494 <trace_hardirqs_on>ffffff8009940b48: d50342ff msr daifclr, #0x2ffffff8009940b4c: 910002b5 add x21, x21, #0x0ffffff8009940b50: 940093e7 bl ffffff8009965aec <kmem_cache_init_late>ffffff8009940b54: 9400ff6c bl ffffff8009980904 <console_init>ffffff8009940b58: f9400ea1 ldr x1, [x21,#24]ffffff8009940b5c: b40000a1 cbz x1, ffffff8009940b70 <start_kernel+0x2c8>ffffff8009940b60: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940b64: f94012a2 ldr x2, [x21,#32]ffffff8009940b68: 91120000 add x0, x0, #0x480ffffff8009940b6c: 97a2c21d bl ffffff80081f13e0 <panic>ffffff8009940b70: d0004474 adrp x20, ffffff800a1ce000 <reset_devices>ffffff8009940b74: f9404281 ldr x1, [x20,#128]ffffff8009940b78: b4000301 cbz x1, ffffff8009940bd8 <start_kernel+0x330>ffffff8009940b7c: d0004460 adrp x0, ffffff800a1ce000 <reset_devices>ffffff8009940b80: b9407400 ldr w0, [x0,#116]ffffff8009940b84: 350002a0 cbnz w0, ffffff8009940bd8 <start_kernel+0x330>ffffff8009940b88: 90fffb22 adrp x2, ffffff80098a4000 <kallsyms_token_index+0x27c000>ffffff8009940b8c: d34c9421 ubfx x1, x1, #12, #26ffffff8009940b90: d2dff7e0 mov x0, #0xffbf00000000 // #281195803836416ffffff8009940b94: aa0003e4 mov x4, x0ffffff8009940b98: f2ffffe0 movk x0, #0xffff, lsl #48ffffff8009940b9c: f9418843 ldr x3, [x2,#784]ffffff8009940ba0: aa011800 orr x0, x0, x1, lsl #6ffffff8009940ba4: f00045e1 adrp x1, ffffff800a1ff000 <vm_committed_as>ffffff8009940ba8: f2ffffe4 movk x4, #0xffff, lsl #48ffffff8009940bac: 934cfc63 asr x3, x3, #12ffffff8009940bb0: f9417c22 ldr x2, [x1,#760]ffffff8009940bb4: cb031881 sub x1, x4, x3, lsl #6ffffff8009940bb8: cb010001 sub x1, x0, x1ffffff8009940bbc: 9346fc21 asr x1, x1, #6ffffff8009940bc0: eb02003f cmp x1, x2ffffff8009940bc4: 540000a2 b.cs ffffff8009940bd8 <start_kernel+0x330>ffffff8009940bc8: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940bcc: 91128000 add x0, x0, #0x4a0ffffff8009940bd0: 97a2c3c5 bl ffffff80081f1ae4 <printk>ffffff8009940bd4: f900429f str xzr, [x20,#128]ffffff8009940bd8: 94009abe bl ffffff80099676d0 <page_ext_init>ffffff8009940bdc: 9400d8bc bl ffffff8009976ecc <debug_objects_mem_init>ffffff8009940be0: 94009572 bl ffffff80099661a8 <kmemleak_init>ffffff8009940be4: 9400784f bl ffffff800995ed20 <setup_per_cpu_pageset>ffffff8009940be8: 900003e0 adrp x0, ffffff80099bc000 <tmp_cmdline.49267+0x2c8>ffffff8009940bec: f9469c00 ldr x0, [x0,#3384]ffffff8009940bf0: b4000040 cbz x0, ffffff8009940bf8 <start_kernel+0x350>ffffff8009940bf4: d63f0000 blr x0ffffff8009940bf8: 979ef6fc bl ffffff80080fe7e8 <sched_clock_init>ffffff8009940bfc: 979d100e bl ffffff8008084c34 <calibrate_delay>ffffff8009940c00: 94003eff bl ffffff80099507fc <pidmap_init>ffffff8009940c04: 94008a5b bl ffffff8009963570 <anon_vma_init>ffffff8009940c08: 97ffff27 bl ffffff80099408a4 <thread_stack_cache_init>ffffff8009940c0c: 94004043 bl ffffff8009950d18 <cred_init>ffffff8009940c10: 9400387c bl ffffff800994ee00 <fork_init>ffffff8009940c14: 940038b7 bl ffffff800994eef0 <proc_caches_init>ffffff8009940c18: 9400a241 bl ffffff800996951c <buffer_init>ffffff8009940c1c: 9400caf5 bl ffffff80099737f0 <key_init>ffffff8009940c20: 9400cb70 bl ffffff80099739e0 <security_init>ffffff8009940c24: 94009ca1 bl ffffff8009967ea8 <vfs_caches_init>ffffff8009940c28: 94003d43 bl ffffff8009950134 <signals_init>ffffff8009940c2c: 940079d0 bl ffffff800995f36c <page_writeback_init>ffffff8009940c30: 9400a67e bl ffffff800996a628 <proc_root_init>ffffff8009940c34: 9400a227 bl ffffff80099694d0 <nsfs_init>ffffff8009940c38: 94006416 bl ffffff8009959c90 <cpuset_init>ffffff8009940c3c: 940062f3 bl ffffff8009959808 <cgroup_init>ffffff8009940c40: 94006629 bl ffffff800995a4e4 <taskstats_init_early>ffffff8009940c44: 97a16c44 bl ffffff800819bd54 <delayacct_init>ffffff8009940c48: f0003320 adrp x0, ffffff8009fa7000 <ehci_platform_hc_driver+0xe8>ffffff8009940c4c: 910f8000 add x0, x0, #0x3e0ffffff8009940c50: f940a000 ldr x0, [x0,#320]ffffff8009940c54: 9400673f bl ffffff800995a950 <ftrace_init>ffffff8009940c58: 97dfca03 bl ffffff8009133464 <rest_init>ffffff8009940c5c: f94037a1 ldr x1, [x29,#104]ffffff8009940c60: f9460660 ldr x0, [x19,#3080]ffffff8009940c64: eb00003f cmp x1, x0ffffff8009940c68: 540001a0 b.eq ffffff8009940c9c <start_kernel+0x3f4>ffffff8009940c6c: 979dcee3 bl ffffff80080b47f8 <__stack_chk_fail>ffffff8009940c70: 12800004 mov w4, #0xffffffff // #-1ffffff8009940c74: 90ffe740 adrp x0, ffffff8009628000 <kallsyms_token_index>ffffff8009940c78: 90000007 adrp x7, ffffff8009940000 <stext>ffffff8009940c7c: d2800002 mov x2, #0x0 // #0ffffff8009940c80: 52800003 mov w3, #0x0 // #0ffffff8009940c84: 2a0403e5 mov w5, w4ffffff8009940c88: d2800006 mov x6, #0x0 // #0ffffff8009940c8c: 911c80e7 add x7, x7, #0x720ffffff8009940c90: 91138000 add x0, x0, #0x4e0ffffff8009940c94: 979e7e96 bl ffffff80080e06ec <parse_args>ffffff8009940c98: 17ffff78 b ffffff8009940a78 <start_kernel+0x1d0>ffffff8009940c9c: a94153f3 ldp x19, x20, [sp,#16]ffffff8009940ca0: a9425bf5 ldp x21, x22, [sp,#32]ffffff8009940ca4: a94363f7 ldp x23, x24, [sp,#48]ffffff8009940ca8: f94023f9 ldr x25, [sp,#64]ffffff8009940cac: a8c77bfd ldp x29, x30, [sp],#112ffffff8009940cb0: d65f03c0 ret
真实数据位置偏移根据前面信息计算(NOTE off 0x000000000183cc48 vaddr 0xffffff800993cc48)
0x18408a8=0x99408a8-0x0x8100000
可以使用hexdump以16进制读取可执行文件,对比反汇编的机器码。
hexdump -s 0x18408a8 -n 1024 vmlinux
18408a8 7bfd a9b9 3380 f000 03fd 9100 63f7 a90318408b8 32f8 f000 0000 9112 53f3 a901 5bf5 a90218408c8 0701 f946 37a1 f900 23f9 f900 c255 979d18408d8 0dc7 9400 d951 9400 637a 9400 42df d50318408e8 32f6 f000 e434 97a1 0020 5280 03d4 f00018408f8 0294 9134 4475 d000 02c0 3930 3b72 94001840908 c601 90ff e740 90ff 6021 9102 c000 910f1840918 e294 9120 02b7 9100 c471 97a2 03f3 aa181840928 63a0 9101 0dc7 9400 0101 5280 83a0 91011840938 3acb 97b6 33a1 f940 2e00 d281 0080 f2a0
这里以反汇编方式找到boot.img中内核入口start_kernel代码的反汇编机器码位置,高手可以编辑它,重新打包,关掉相关安全验证(Verify Boot,DM-verity,回滚保护)刷到设备中。汇编是比较老的语言,但是是离机器最近的语言,玩软件破解和加密应该熟悉。就算不玩破解,知道点反汇编对于代码和程序的理解也会不同。下面是随便找的一个破解例子
Linux下使用objdump+vim+xxd进行反汇编并修改指令
1.2、设备树
unpackbootimg没看到设备树,对比编译出的Image.gz-dtb与Image.gz可以知道,mkbootimg把Image.gz-dtb(设备树)作为kernel制作boot.img的,设备树还在内核解包的zImage中。要获取设备树需要读取其中信息才可分离出来。GITHUB有从内核中解压设备树工具https://github.com/PabloCastellano/extract-dtb
python3 extract-dtb.py kernel
Dumped 00_kernel, start=0 end=12116314Dumped 01_dtbdump_***.dtb, start=12116314 end=12393371Dumped 02_dtbdump_xK`)+-;pw_qK.dtb, start=12393371 end=12393544Extracted 2 appended dtbs + kernel to dtb
dtc -O dts 01_dtbdump_***.dtb -o test0.dts
可以用dtc来分析源码编译出的设备树obj\KERNEL_OBJ\arch\arm64\boot\dts\***.dtb。
dtc -I dtb -O dts obj\KERNEL_OBJ\arch\arm64\boot\dts\***.dtb -o test1.dts
转换成dts格式后,文本编辑器可以直接读。也可比较boot.img解包出的dts、编译的dts两个文件,验证是否一致。
1.3、根目录
- gzip -d boot.img-ramdisk.gz解压缩。
- cpio -i -F boot.img-ramdisk解包。
这样就看到根目录。
内核调试可以使用fastboot boot boot.img命令,boot.img不刷入分区,直接载入ram运行。还可以使用下面参数设置,同时注意下设备安全限制(AVB,防回滚)。
fastboot -h
-c <cmdline> Override kernel commandline.-b, --base <base_addr> Specify a custom kernel baseaddress (default: 0x10000000).--kernel-offset Specify a custom kernel offset.(default: 0x00008000)--ramdisk-offset Specify a custom ramdisk offset.(default: 0x01000000)--tags-offset Specify a custom tags offset.(default: 0x00000100)-n, --page-size <page size> Specify the nand page size(default: 2048).
fastboot boot boot.img
fastboot -c "console=ttyMSM0,115200,n8 androidboot.console=ttyMSM0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=0 androidboot.bootdevice=7824900.sdhci earlycon=msm_serial_dm,0x78af000 firmware_class.path=/vendor/firmware_mnt/image androidboot.usbconfigfs=true loop.max_part=7 buildvariant=user" -b 0x80000000 boot Z:\boot.img
2、emmc_appsboot.mbn:
bootloader镜像emmc_appsboot.mbn,与zImage一样,可以readelf解析,但不能objdump反汇编。所以我们对编译最后一步sectools.py签名前的文件lk_s.elf进行反汇编。
参照上面vmlinux反编译方式读出关键函数<aboot_init>机器码位置。
aarch64-linux-androidkernel-objdump -d lk_s.elf --start-address=0x8f63f390 --stop-address=0x8f63f8b0
lk_s.elf: file format elf32-littlearmDisassembly of section .text:8f63f390 <aboot_init>:8f63f390: e92d4ff0 push {r4, r5, r6, r7, r8, r9, sl, fp, lr}8f63f394: e28db020 add fp, sp, #328f63f398: e24dd024 sub sp, sp, #36 ; 0x248f63f39c: e3006980 movw r6, #2432 ; 0x9808f63f3a0: e3486f76 movt r6, #36726 ; 0x8f768f63f3a4: e50be030 str lr, [fp, #-48] ; 0xffffffd08f63f3a8: e5963000 ldr r3, [r6]8f63f3ac: e50b3028 str r3, [fp, #-40] ; 0xffffffd88f63f3b0: ebffd709 bl 8f634fdc <target_is_emmc_boot>8f63f3b4: e3500000 cmp r0, #08f63f3b8: 0a00006f beq 8f63f57c <aboot_init+0x1ec>8f63f3bc: ebff4487 bl 8f6105e0 <mmc_page_size>8f63f3c0: e30920d8 movw r2, #37080 ; 0x90d88f63f3c4: e30d33dc movw r3, #54236 ; 0xd3dc8f63f3c8: e3482f75 movt r2, #36725 ; 0x8f758f63f3cc: e3483f74 movt r3, #36724 ; 0x8f74***
LOAD off 0x00008000 vaddr 0x8f600000
0x47390=0x8f63f390 -0x8f600000+0x00008000
hexdump -s 0x47390 -n 1024 lk_s.elf
0047390 4ff0 e92d b020 e28d d024 e24d 6980 e30000473a0 6f76 e348 e030 e50b 3000 e596 3028 e50b00473b0 d709 ebff 0000 e350 006f 0a00 4487 ebff00473c0 20d8 e309 33dc e30d 2f75 e348 3f74 e34800473d0 1001 e240 0000 e582 1000 e583 424c ebff00473e0 20c8 e309 33c8 e30d 2f75 e348 3f74 e34800473f0 1001 e240 0000 e582 1000 e583 0a64 e3000047400 0f71 e348 25f6 eb00 a00d e1a0 ff4f ebff0047410 0a80 e300 0f71 e348 25f1 eb00 0c94 e3090047420 0f72 e348 f3cb ebff 4239 ebff 3086 e2800047430 7000 e1a0 3007 e3c3 0c80 e309 d003 e04d
这里机器码与反汇编码对应上了(android有相关签名验证链,一环套一环,无签名与许可不要尝试修改破解)
3、splash.img:
这个是开机画面镜像,生成工具是logo_gen.py,分析可以转多开机界面适配,多dtbo合入。
4、dtbo.img:
该镜像是设备树叠加层,官网有介绍,源码有mkdtimg工具制作和解析,该镜像只包含设备树叠加层,没有设备树,详细可以看看多开机界面适配,多dtbo合入。
5、mdtp.img:
高通源码直接复制而来,无法分析。
6、vbmeta.img:
用于安全验证,bootloader验证vbmeta的签名,再用vbmeta的key以及hash值验证dtbo/boot/system/vendor。里面格式数据可以访问https://android.googlesource.com/platform/external/avb/+/master/README.md#The-VBMeta-struct,后面的blog刷机相关的Android的安全中会用avbtool生成该镜像。
7、Linux rev 1.0 ext4 filesystem data(persist.img)
文件系统镜像
mkdir test;mount persist.img test;sudo chmod 777 test
8、Android sparse image(system.img、userdata.img、vendor.img):
system.img、userdata.img、vendor.img、persist.img都是sparse压缩文件系统镜像,目的是方便传输/刷机/存储等。想查看内容需先转换为raw格式。现在system和vendor后有追加哈希树。userdata加密后无法挂载。
simg2img system.img system_raw.img;mkdir test;mount system_raw.img test;sudo chmod 777 test
9、Super.img :
super.img是几个只读分区的合并,file读取格式可能为data,android源码有lpunpack工具分解,提示无该命令可以先make lpunpack,
lpunpack super.img
查看服务器编译的system/vendor等sparse格式镜像时,如果挂载失败,可以尝试加只读参数才能来查看:
mount -o ro system_raw.img test;
该系列第二条线就是镜像分析,本博客主要以反汇编方式分析内核镜像。后面几个blog也会分析其他文件。
android刷机方式将分析nonAB的OTA包中system.dat转换、AB的OTA包中payload.bin的转换。
刷机相关的Android的安全中将分析vbmeta,以及avbtool使用。还有如何查看SELinux规则文件,单编SELinux规则文件。
正确的刷机观中分析gpt文件,NV备份。
多开机界面,多设备树叠加层中将分析splash.img和dtbo.img镜像。
如果还有需要解析的镜像,博友可以评论提。
android镜像分析相关推荐
- Android x86镜像分析
这几天学习Android,基于x86平台.先了解一下android的安装过程.在其官方网站上下载了Android的iSO,就解压出来看看,需要说明的是以下的操作都是在root用户下进行的.以下是学习过 ...
- Android 逆向分析大全
转载:Android 逆向分析大全:https://www.jianshu.com/p/a12d04fc748f 1. 概述 1.1 分析步骤 通用逆向分析步骤 1. 了解该模块正向编程相关方法 2. ...
- Android系统性能优化(54)---Android性能分析专题
Android性能分析专题 1. 背景:Android App优化, 要怎么做? 2. Android App优化之性能分析工具 3. Android App优化之提升你的App启动速度之理论基 ...
- 【Autopsy数字取证篇】Autopsy案例创建与镜像分析详细教程
[Autopsy数字取证篇]Autopsy案例创建与镜像分析详细教程 Autopsy是一款非常优秀且功能强大的免费开源数字取证分析工具.-[蘇小沐] 文章目录 [Autopsy数字取证篇]Autops ...
- 【SA8295P 源码分析】02 - SA8295P 整包镜像分析
[SA8295P 源码分析]02 - SA8295P 整包镜像分析 一.UFS LUNs 二.开机启动相关镜像介绍 三.QNX Host相关镜像介绍 四.Android GVM 相关镜像介绍 五.其他 ...
- android逆向分析概述_Android存储概述
android逆向分析概述 Storage is this thing we are all aware of, but always take for granted. Not long ago, ...
- Android JNI入门第五篇——Android.mk分析
转载请标明出处: http://blog.csdn.net/michael1112/article/details/56671708 江东橘子的博客 Android.mk文件是在使用NDK编译C代码时 ...
- Android多线程分析之二:Thread的实现
Android多线程分析之二:Thread的实现 罗朝辉 (http://www.cnblogs.com/kesalin/) CC 许可,转载请注明出处 在前文<Android多线程分析之一:使 ...
- Android内存分析和调优(上)
Android内存分析和调优(上) Android内存分析和调优(上) Android内存分析工具(四):adb命令 posted on 2017-09-25 19:29 时空观察者9号 阅读(... ...
最新文章
- log4j debug写法
- linux下VMware_Tools虚拟机工具的安装
- RedisTemplate和StringRedisTemplate使用
- C++工作笔记-对const_cast的理解
- java泛型特点_java泛型简单总结
- 程序员,学会这些技能让你的薪资翻倍!
- Java Redis 做分布式锁
- TensorFlow学习记录1-一些比较好的学习资源
- Java程序猿从笨鸟到菜鸟之(九十二)深入java虚拟机(一)——java虚拟机底层结构具体解释...
- 重置浏览器的css,css重置浏览器默认样式
- CREO:CREO软件之零件【模型】形状之拉伸、旋转、旋转混合的简介及其使用方法(图文教程)之详细攻略
- VAX 经常Parsing 整个项目/CPU负载过高解决办法
- C++算法——字幕校对问题
- 解决ValueError: too many values to unpack
- 浏览器通过原生JS实现录音功能
- 树莓派4B的引脚控制简单demo
- 修复iPhone8白屏的3种方法,可保留设备数据
- 《数论概论》读书笔记(第一章) 什么是数论?
- 全面支持 PyTorch 2.0:BladeDISC 5 月~11 月新功能发布
- 垃圾渗滤液处理常用的组合工艺
热门文章
- 花指令,LLVM简介
- python美食推荐系统 菜谱管理系统 django框架 购物车 网站 MySQL数据库 源码下载 计算机毕业设计
- cmd 运行不要显示黑色窗口
- X32dbg-查找MFC窗口过程函数-跟踪直到满足条件-条件断点-查看窗口句柄
- ACWing 2021寒假每日一题题解
- Htc one m7 港版5.12.708.3官方RUU系统备份
- 【html audio】播放音频
- NetworkX入门教程
- error: stray ‘\×××’ in program错误原因及解决方法
- 狂热的商城和被弃的淘宝